2026-07-18 · view entry permalink →
CVE-2025-40948/-40947/-40949 — Siemens RUGGEDCOM ROX II: Unit 42 chains three OT-switch flaws to persistent root
Unit 42 published a chained analysis (2026-07-17) of three vulnerabilities in Siemens RUGGEDCOM ROX II, the ruggedised OT switch/router family Siemens positions as a network-security boundary inside industrial networks — rail, utilities, water and manufacturing, including Swiss and European critical infrastructure (Unit 42, 2026-07-17). The chain moves from information disclosure to persistent root. Stage one, CVE-2025-40948 (CVSS 6.8), abuses a root-privileged daemon that invokes the xz utility with attacker-supplied parameters: supplying -f, -c and -d together turns xz into a cat equivalent, letting an attacker read any file on the device — configuration, password hashes, private keys (Unit 42, 2026-07-17). Stage two, CVE-2025-40947 (CVSS 7.5), is command injection in the feature-key signature-verification routine: the parsed signature string is inserted unsanitised into a gpgv command executed via system() as root, so a crafted feature-key file whose signature field carries a command-injection payload runs attacker code as root (typically after the attacker uploads a script through the web UI's normal feature-key upload). Stage three, CVE-2025-40949 (CVSS 9.1), is command injection in the web-management task scheduler — Siemens describes it as an "authenticated remote attacker" injecting commands that "execute arbitrary commands with root privileges" (Siemens ProductCERT SSA-081142, 2026-05-12) — writing malicious entries into the scheduler configuration for persistent, reboot-surviving root execution.
Siemens patched all three in firmware V2.17.1 across the ROX II family (MX5000/MX5000RE, the RX1400–RX1536 line, RX5000) and published advisories SSA-973901, SSA-078743 and SSA-081142; no in-the-wild exploitation is reported. The transferable lesson beyond this device family, per Unit 42, is the anti-pattern: a device invoking a general-purpose CLI utility (here xz) as root inside its own validation logic is a recurring OT/embedded-appliance weakness worth hunting for elsewhere.
Successful exploitation of this chain would allow an attacker to achieve full privilege escalation and persistent root-level access on these devices, which are critical components of industrial control networks.
Ruggedcom Rox contains an input validation vulnerability in the Scheduler functionality that could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system.